changed vnet ipv6 setup, using routing not nat
@@ -336,7 +336,6 @@ jaildk_rc_pf() {
|
|||||||
# map_web_exposed_port=80
|
# map_web_exposed_port=80
|
||||||
# map_web_mapped_port=8080
|
# map_web_mapped_port=8080
|
||||||
# map_web_exposed_ip="123.12.12.3"
|
# map_web_exposed_ip="123.12.12.3"
|
||||||
# map_web_exposed_ip6="2a01::ff"
|
|
||||||
# map_ntp_proto="udp"
|
# map_ntp_proto="udp"
|
||||||
# map_ntp_exposed_port=123
|
# map_ntp_exposed_port=123
|
||||||
# map_ntp_mapped_port=1234
|
# map_ntp_mapped_port=1234
|
||||||
@@ -352,7 +351,6 @@ jaildk_rc_pf() {
|
|||||||
eval _mport=\${map_${map}_mapped_port:-${_eport}}
|
eval _mport=\${map_${map}_mapped_port:-${_eport}}
|
||||||
eval _eports=\${map_${map}_exposed_ports}
|
eval _eports=\${map_${map}_exposed_ports}
|
||||||
eval _eip=\${map_${map}_exposed_ip:-$extif}
|
eval _eip=\${map_${map}_exposed_ip:-$extif}
|
||||||
eval _eip6=\${map_${map}_exposed_ip6:-$extif}
|
|
||||||
|
|
||||||
if test -z ${_eport} -o -z ${_eip}; then
|
if test -z ${_eport} -o -z ${_eip}; then
|
||||||
echo "Warning: ignoring incomplete map: $map!"
|
echo "Warning: ignoring incomplete map: $map!"
|
||||||
@@ -366,51 +364,38 @@ jaildk_rc_pf() {
|
|||||||
fi
|
fi
|
||||||
echo "# from map $map" >> $ruleset
|
echo "# from map $map" >> $ruleset
|
||||||
jaildk_pf_map $extif ${_proto} ${_eip} ${_eport} ${_mport} ${ip} >> $ruleset
|
jaildk_pf_map $extif ${_proto} ${_eip} ${_eport} ${_mport} ${ip} >> $ruleset
|
||||||
|
|
||||||
if test -n "${_eip6}" -a -n "$ip6"; then
|
|
||||||
jaildk_pf_map $extif ${_proto} ${_eip6} ${_eport} ${_mport} ${ip6} inet6 >> $ruleset
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
for port in ${_eports}; do
|
for port in ${_eports}; do
|
||||||
jaildk_pf_map $extif ${_proto} ${_eip} ${port} ${port} ${ip} >> $ruleset
|
jaildk_pf_map $extif ${_proto} ${_eip} ${port} ${port} ${ip} >> $ruleset
|
||||||
|
|
||||||
if test -n "${_eip6}" -a -n "$ip6"; then
|
|
||||||
jaildk_pf_map $extif ${_proto} ${_eip6} ${port} ${port} ${ip6} inet6 >> $ruleset
|
|
||||||
fi
|
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# masq_ip="123.12.12.33"
|
# masq_ip="123.12.12.33"
|
||||||
# masq_ip6=2a01::..."
|
|
||||||
if test -n "$ip" -a -n "${masq_ip}"; then
|
if test -n "$ip" -a -n "${masq_ip}"; then
|
||||||
jaildk_pf_nat $extif $ip ${masq_ip} >> $ruleset
|
jaildk_pf_nat $extif $ip ${masq_ip} >> $ruleset
|
||||||
fi
|
fi
|
||||||
if test -n "$ip6" -a -n "${masq_ip6}"; then
|
|
||||||
jaildk_pf_nat $extif $ip ${masq_ip} inet6 >> $ruleset
|
|
||||||
fi
|
|
||||||
|
|
||||||
if test -n "$ip" -a -n "$rules"; then
|
if test -n "$ip" -a -n "$rules"; then
|
||||||
# rules="open web"
|
# rules="open web"
|
||||||
|
# only required for ipv6, ipv4 is already opened with exposed ports
|
||||||
# rule_open="any"
|
# rule_open="any"
|
||||||
# rule_web_proto="tcp"_
|
# rule_web_proto="tcp"
|
||||||
# rule_web_port="80,443"
|
# rule_web_port="80,443"
|
||||||
for rule in $rules; do
|
for rule in $rules; do
|
||||||
eval _proto=\${rule_${rule}_proto:-tcp}
|
eval _proto=\${rule_${rule}_proto:-tcp}
|
||||||
eval _port=\${rule_${rule}_port}
|
eval _port=\${rule_${rule}_port}
|
||||||
|
|
||||||
if test -n "${_port}"; then
|
if test -n "${_port}"; then
|
||||||
echo "# from map $map" >> $ruleset
|
if test -n "${ip6}"; then
|
||||||
jaildk_pf_rule $extif ${_proto} ${ip} ${_port} >> $ruleset
|
echo "# from map $map" >> $ruleset
|
||||||
|
jaildk_pf_rule $extif ${_proto} ${ip6} ${_port} inet6 >> $ruleset
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
echo "Warning: incomplete rule: $rule!"
|
echo "Warning: incomplete rule: $rule!"
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if test -n "${ip6}"; then
|
|
||||||
jaildk_pf_rule $extif ${_proto} ${ip6} ${_port} inet6 >> $ruleset
|
|
||||||
fi
|
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
@@ -1976,19 +1961,24 @@ usage_vnet() {
|
|||||||
echo
|
echo
|
||||||
echo "You need the following in your /etc/rc.conf:"
|
echo "You need the following in your /etc/rc.conf:"
|
||||||
echo " cloned_interfaces=\"bridge0\""
|
echo " cloned_interfaces=\"bridge0\""
|
||||||
|
echo " ipv6_ifconfig_bridge0=\"2a01:...::1/80\""
|
||||||
echo " ifconfig_bridge0=\"name jailsw0 up 172.20.20.1/24\""
|
echo " ifconfig_bridge0=\"name jailsw0 up 172.20.20.1/24\""
|
||||||
|
echo " ipv6_gateway_enable=\"YES\""
|
||||||
echo
|
echo
|
||||||
echo "And something like this in your jail.conf:"
|
echo "And something like this in your jail.conf:"
|
||||||
echo " billa {"
|
echo " billa {"
|
||||||
echo " vnet;"
|
echo " vnet;"
|
||||||
echo " exec.created = \"/home/scip/git/jaildk/jaildk vnet $name start -b jailsw0\";"
|
echo " exec.created = \"/jail/bin/jaildk vnet $name start -b jailsw0\";"
|
||||||
echo " exec.prestop = \"/home/scip/git/jaildk/jaildk vnet $name stop -b vm-jailnet\";"
|
echo " exec.prestop = \"/jail/bin/jaildk vnet $name stop -b vm-jailnet\";"
|
||||||
echo " }"
|
echo " }"
|
||||||
echo
|
echo
|
||||||
echo "Finally, the jail.conf for a vnet jail needs to contain these two"
|
echo "Finally, the jail.conf for a vnet jail needs to contain these parameters:"
|
||||||
echo "parameters:"
|
|
||||||
echo " ip=172.20.20.10/24"
|
echo " ip=172.20.20.10/24"
|
||||||
echo " gw=172.20.20.1"
|
echo " gw=172.20.20.1"
|
||||||
|
echo
|
||||||
|
echo "and if using v6 v6 address in bridge subet, gw6 is default gw => bridge interface"
|
||||||
|
echo " ip6=2a01:.....ff"
|
||||||
|
echo " gw6=2a01:.....1"
|
||||||
|
|
||||||
echo "You'll also need PF nat rules in order to be able to reach the outside"
|
echo "You'll also need PF nat rules in order to be able to reach the outside"
|
||||||
echo "from the jail or vice versa."
|
echo "from the jail or vice versa."
|
||||||
@@ -2035,25 +2025,30 @@ jaildk_vnet() {
|
|||||||
epairA=$(ifconfig epair create)
|
epairA=$(ifconfig epair create)
|
||||||
epairB="${epairA%?}b"
|
epairB="${epairA%?}b"
|
||||||
|
|
||||||
ifconfig $epairA name $vnethost
|
ex ifconfig $epairA name $vnethost
|
||||||
ifconfig $epairB name $vnetjail
|
ex ifconfig $epairB name $vnetjail
|
||||||
|
|
||||||
# if vm-bhyve is enabled we could use this as well:
|
# if vm-bhyve is enabled we could use this as well:
|
||||||
#vm switch add $BRIDGE $vnethost
|
#vm switch add $BRIDGE $vnethost
|
||||||
|
|
||||||
# make sure
|
# make sure
|
||||||
ifconfig $vnetjail up
|
ex ifconfig $vnetjail up
|
||||||
ifconfig $vnethost up
|
ex ifconfig $vnethost up
|
||||||
|
|
||||||
# add the host to the bridge
|
# add the host to the bridge
|
||||||
ifconfig $BRIDGE addm $vnethost up
|
ex ifconfig $BRIDGE addm $vnethost up
|
||||||
|
|
||||||
# add the jail to the bridge (gets invisible from host)
|
# add the jail to the bridge (gets invisible from host)
|
||||||
ifconfig $vnetjail vnet $jail
|
ex ifconfig $vnetjail vnet $jail
|
||||||
|
|
||||||
# configure the jail network stack inside the jail
|
# configure the jail network stack inside the jail
|
||||||
jexec $jail ifconfig $vnetjail $ip up
|
ex jexec $jail ifconfig $vnetjail $ip up
|
||||||
jexec $jail route add default $gw
|
ex jexec $jail route add default $gw
|
||||||
|
|
||||||
|
if -n "$ip6" -a -n "$gw6"; then
|
||||||
|
ex jexec $jail ifconfig $vnetjail inet6 $ip6
|
||||||
|
ex jexec $jail route -6 add default $gw6
|
||||||
|
fi
|
||||||
;;
|
;;
|
||||||
stop)
|
stop)
|
||||||
# remove vnet from the jail
|
# remove vnet from the jail
|
||||||
|
|||||||
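Review bot: The new IPv6 branch in the vnet start path, `if -n "$ip6" -a -n "$gw6"; then`, is missing the `test` command, so the shell tries to run `-n` as a command, the condition is always false, and the `ifconfig ... inet6 $ip6` and `route -6 add default $gw6` lines inside it never execute — the jail comes up without its v6 address or default route, and nothing reports it because a failing command in an `if` condition does not trip `set -e` even if the script uses it. It should read `if test -n "$ip6" -a -n "$gw6"; then`, matching the `test ... -a ...` form used elsewhere in this function; jaildk_vnet itself starts before this hunk. A smaller point in the jaildk_rc_pf hunk: the comment line written into the ruleset inside the new IPv6-only rules block, `echo "# from map $map" >> $ruleset`, reuses `$map` left over from the preceding maps loop rather than `$rule`, so the generated pf ruleset annotates each v6 rule with the wrong name; `echo "# from rule $rule" >> $ruleset` would make the file readable when debugging the loaded rules.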